TIF loaded as doc, handled by quicktime, not blocked in Fx2
NS 1.9.9.36
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
- Giorgio Maone
- Site Admin
- Posts: 9526
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: TIF loaded as doc, handled by quicktime, not blocked in Fx2
Sample page?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7 (.NET CLR 3.5.30729)
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: TIF loaded as doc, handled by quicktime, not blocked in Fx2
Sort of confirmed using NoScript 1.9.9.37 on Fx 2.0.0.20
http://aiw2.uspto.gov/.aiw?docid=us2005 ... 0050177789
The image has the placeholder, as expected, but middle-clicking on the placeholder opens the tiff fully displayed in a new tab instead of the new tab just having a placeholder.
In Fx 3.5.7 the new tab has a placeholder, as expected.
On the other hand, a tiff image isn't active content, is it? Is there any security breach or is this just a difference in how it's handled by NoScript in the two different versions of Firefox?
Note that tiff has to be enabled in QuickTime's MIME settings, which doesn't seem to be the default.
Edit: My Fx 2.0.0.20 crashed while I was repeating the tests.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7
Re: TIF loaded as doc, handled by quicktime, not blocked in Fx2
there is no page, just a local tif, google ext:tif
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20
Re: TIF loaded as doc, handled by quicktime, not blocked in Fx2
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.8pre) Gecko/20100114 SeaMonkey/2.0.3pre
-
- Ambassador
- Posts: 1586
- Joined: Fri Mar 20, 2009 4:47 am
- Location: Colorado, USA
Re: TIF loaded as doc, handled by quicktime, not blocked in Fx2
http://forums.informaction.com/viewtopi ... 288#p14288
Giorgio Maone wrote:
therube wrote: So whatever exploits that may exist against a gif render-er, I guess could be exploited.
We should add that you can't do anything about it, short of disabling image display.
On the other hand, JPEG, GIF and PNG decoders are relatively simple and tested enough today to make a viable exploit very unlikely, especially if compared to how easy it is to mount an attack against JavaScript or plugins.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.7) Gecko/20091221 Firefox/3.5.7